Oracle Java Security Challenges - What you need to know


Oracle has changed its Java support policy: as of April 16, 2019, any Oracle / Sun Microsystems Java Standard Edition (SE) release, including the JRE and JDK, whether on a Long Term Support (LTS) or non-LTS release, requires a paid Oracle Java SE Advanced / Desktop license, support contract or subscription in order to receive commercial patches, including security fixes. The majority of Java customers worldwide use Oracle Java versions 6, 7, 8 (LTS) and 11 (LTS). The change applies to all customers, whether or not they are otherwise an Oracle shop, and hits every organization with an unplanned budget impact.

In addition, Oracle has replaced the Binary Code License (BCL) agreement with its standard Oracle Technology Network (OTN) agreement, which contains an audit clause, for all Oracle Java SE releases from version 11 onwards. The details follow:

Which Security / Patch Updates Require a Paid Subscription?

Because of Oracle's support policy changes for Java, customers no longer receive free security updates as of April 16, 2019. The most recent security patch updates therefore require a commercial subscription under Oracle's standard license terms:

Kit                                                  Update released
Java™ SE Development Kit 8, Update 211 / 212         April 16, 2019
Java™ SE Development Kit 8, Update 221 (JDK 8u221)   July 16, 2019
Java™ SE Development Kit 7, Update 221 / 222         April 16, 2019
Java™ SE Development Kit 7, Update 231               July 16, 2019
Java™ SE Development Kit 11.0.3                      under OTN, so requires a subscription even for a plain installation of version 11
Java™ SE Development Kit 11.0.4                      under OTN, so requires a subscription even for a plain installation of version 11
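As an added example (not code from the article or from SoftwareONE), the following Python script triages `java -version` banners collected during an inventory against the boundaries in the table above: 8u211 and 7u221 as the first paid-only updates, and every JDK 11 build as OTN-licensed. The banner lines are constructed, and the separate OpenJDK branch reflects that the OTN terms cover Oracle's own Java SE builds, not OpenJDK builds.

```python
"""Added example, not code from the original article: triage `java -version`
banners against the paid-update boundary in the table above. Oracle JDK 8
from 8u211 and JDK 7 from 7u221 are paid-only (both released April 16, 2019)
and every JDK 11 build is OTN-licensed. Banner lines are constructed input.
"""
import re
from typing import Optional, Tuple

# First update of each Oracle JDK major that needs a subscription (JDK 11: any).
PAID_FROM = {7: 221, 8: 211, 11: 0}

_QUOTED = re.compile(r'version "([^"]+)"')
_LEGACY = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?")     # e.g. 1.8.0_211-b12
_JEP223 = re.compile(r"^(\d+)(?:\.\d+)?(?:\.(\d+))?")  # e.g. 11.0.3+7-LTS

def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from the first line of `java -version`."""
    m = _QUOTED.search(banner)
    if not m:
        return None
    ver = m.group(1)
    legacy = _LEGACY.match(ver)
    if legacy:                    # JDK 5..8 scheme: 1.<major>.0_<update>
        return int(legacy.group(1)), int(legacy.group(2) or 0)
    modern = _JEP223.match(ver)   # JDK 9+ scheme: <major>.<minor>.<security>
    if modern:
        return int(modern.group(1)), int(modern.group(2) or 0)
    return None

def classify(banner: str) -> str:
    """'openjdk': OpenJDK build, outside Oracle's OTN terms; 'paid'/'free':
    Oracle build relative to the boundary; 'unknown': unparseable/unlisted."""
    if banner.lstrip().lower().startswith("openjdk"):
        return "openjdk"
    parsed = parse_java_version(banner)
    if parsed is None or parsed[0] not in PAID_FROM:
        return "unknown"
    major, update = parsed
    return "paid" if update >= PAID_FROM[major] else "free"

# Constructed banners, as an inventory script might collect them from hosts.
SAMPLE_BANNERS = [
    'java version "1.8.0_202"',
    'java version "1.8.0_211"',
    'java version "1.7.0_221"',
    'java version "11.0.3" 2019-04-16 LTS',
    'openjdk version "11.0.4" 2019-07-16',
    'java version "1.6.0_45"',
]
```

Feed it the first line of `java -version` output from each host; every banner classified as 'paid' is a build that receives no further security updates without a subscription, and 'unknown' flags majors (such as 6) that the table above does not cover.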

These Security Patches Include Fixes for the Following Vulnerabilities:

1. Vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified component, e.g., through a web service which supplies data to the APIs.

2. Vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

3. Vulnerability can only be exploited by supplying data to APIs in the specified component without using untrusted Java Web Start applications or untrusted Java applets, such as through a web service.

The next Java security patch release is expected on October 15, 2019 and will be available under commercial subscription.

What is Your Java OPEX Impact?

A typical small environment of fewer than 1,000 desktops and servers with 1,300 cores can face an OPEX outlay as shown below:

[OPEX table for the small environment: image not reproduced in this text]

While a large state environment can have a substantial OPEX impact:

[OPEX table for the large environment: image not reproduced in this text]

SoftwareONE Advisory Approach to Address this Challenge

  • Technical assessment of client machines, servers (physical / virtual) and cloud instances for JRE/JDK installations.

  • Optimization by bundling Java usage with products from vendors that provide Java support (Oracle, IBM, Red Hat, SAP, AWS, etc.).

  • Assessment of AdoptOpenJDK and OpenJDK based on Java application rationalization.

  • Finally, subscribing to commercial Java support from Oracle and/or Azul Systems and/or IBM / Red Hat.


Looking for More?

SoftwareONE's global Oracle and Java advisory team has years of consulting experience across technology, compliance and commercial matters. Please reach out to us for the latest Oracle Java advisory guidance.


Author

Abhishek Gupta

Global Oracle / Java Practice Leader

Publisher Advisory | Oracle Global
